Critical Flaws Found in Popular WordPress Plugin

JPCERT specialists are raising alarms about a series of critical vulnerabilities in the Forminator plugin for WordPress, developed by WPMU DEV. This plugin, utilized by over 500,000 websites, enables the creation of various forms without extensive programming knowledge.

A particular vulnerability, identified as CVE-2024-28890 and rated 9.8 on the CVSS scale, permits cybercriminals to remotely upload malicious code to websites employing this plugin. This could lead to the leakage of sensitive information, alteration of website content, and potentially a complete denial of service.

Furthermore, JPCERT also highlights additional security issues, including an SQL injection vulnerability (CVE-2024-31077, rated at 7.2) and a cross-site scripting vulnerability (CVE-2024-31857, rated at 6.1). These flaws allow remote attackers to access and modify user information and disrupt website operations.

Attacks exploiting CVE-2024-28890 have already been recorded. Additionally, statistics from WordPress.org indicate that although there are over 500,000 active installations of the plugin, only 55.9% have been updated to version 1.29, which addresses these vulnerabilities. This means that approximately 220,000 sites remain vulnerable to attacks.

Developers strongly recommend that website administrators update the plugin to the latest version as soon as possible to protect their resources from potential cyberattacks.

It is noteworthy that at the end of last August, the Forminator plugin similarly stirred the information space due to vulnerability CVE-2023-4596, which allowed unauthorized perpetrators to upload malicious files to vulnerable sites. Now, eight months later, the situation has unfortunately repeated itself.